10
10 Description  Two antithesis metrics  Vulnerability of the network Total node vulnerability Node vulnerability = Total component vulnerability The network is compromised if no component is functional.  Survivability of the network (1 - Vulnerability of the network) Introduction Problem Solution Experiments Conclusion

11
11 Description  Assumptions 1. The attacker’s objective is to maximize the total vulnerability of the network against hazardous events. 2. The defender’s objective is to minimize the total vulnerability by redundancy allocation. 3. Both attacker and defender have complete information about the network topology. 4. Both attacker and defender have resource budget limitations. 5. Only node attack is considered. 6. Only malicious attacks are considered. Introduction Problem Solution Experiments Conclusion

12
12 Description 7. Only AS-level networks are considered. 8. A node is only subject to attack if a path exists from attacker’s position to that node, and all the intermediate nodes on the path have been compromised. 9. “A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level. 10. Failures of individual components are independent. 11. All redundant components are in a hot-standby state. 12. All redundant components which are compromised by attacker are never repaired or detected. Introduction Problem Solution Experiments Conclusion

14
14 Description  Objective  For attacker, to maximize the vulnerability against hazardous events.  For defender, to minimize the maximized vulnerability against hazardous events.  Subject to  The total defense cost must be no more than B.  The total attack cost most be no more than A.  The node to be attacked must be connected to the existing attack tree.  To determine  Defender: redundancy allocation policy.  Attacker: which nodes to attack, and attack power. Introduction Problem Solution Experiments Conclusion

16
16 Formulation (RAPMA) Introduction Problem Solution Experiments Conclusion “A node is compromised” if and only if the primary component deployed to it is compromised by allocating more attack power than the minimum level.

24
24 Approach to ARS Model Introduction Problem Solution Experiments Conclusion ‧ Related to X p (Attack Tree) ‧ Time Complexity: O(|N| 2 ), where N is the number of nodes. Subproblem 1 ‧ Related to y i (Target) ‧ Time Complexity: O(|N|), where N is the number of nodes. Subproblem 2 ‧ Related to g im (Attack Power) ‧ Time Complexity: O(A|C| 2 ), where C is the number of components, A is total attack power. Subproblem 3

25
25 Approach to ARS Model Introduction Problem Solution Experiments Conclusion Step 1: Utilize the attack policy derived from Sub- problem 1 as the initial solution. Step 2: If the attack tree is available, go to Step 4, otherwise, go to Step 3. Step 3: “Recycle” the wasted attack power, which is allocated to the leaf node, and re-allocate the recycled power to the uncompromised nodes according to the associated weight,.. Go to Step 2. Step 4: Allocate residual power to reachable components according to its side effect. Getting Primal Feasible Solution W=5 W=2 W=1

43
43 Conclusion  A practical approach is proposed to effectively solve RAP; therefore, continuous service can be realized.  As a whole, a network with higher average degree is more robust.  Defense-in-depths might be the best strategy in designing a robust network. Introduction Problem Solution Experiments Conclusion

44
44 Contribution  We propose a more robust framework which assists organization in providing continuous service via redundant allocation.  From our survey of literature, we might be the pioneer to consider malicious attacks and hazardous events at the same time.  Besides, RAP is extended to the realm of network management. Introduction Problem Solution Experiments Conclusion